Microeliece: Mceliece for Embedded Devices
Total Page:16
File Type:pdf, Size:1020Kb
MicroEliece: McEliece for Embedded Devices Thomas Eisenbarth, Tim G¨uneysu, Stefan Heyse, Christof Paar Horst G¨ortz Institute for IT Security Ruhr University Bochum 44780 Bochum, Germany eisenbarth,gueneysu,heyse,cpaar @crypto.rub.de { } Abstract. Most advanced security systems rely on public-key schemes based either on the factorization or the discrete logarithm problem. Since both problems are known to be closely related, a major breakthrough in cryptanalysis tackling one of those problems could render a large set of cryptosystems completely useless. The McEliece public-key scheme is based on the alternative security assumption that decoding unknown lin- ear binary codes is NP-complete. In this work, we investigate the efficient implementation of the McEliece scheme on embedded systems what was – up to date – considered a challenge due to the required storage of its large keys. To the best of our knowledge, this is the first time that the McEliece encryption scheme is implemented on a low-cost 8-bit AVR microprocessor and a Xilinx Spartan-3AN FPGA. 1 Introduction The advanced properties of public-key cryptosystems are required for many cryp- tographic issues, such as key establishment between parties and digital signa- tures. In this context, RSA, ElGamal, and later ECC have evolved as most pop- ular choices and build the foundation for virtually all practical security protocols and implementations with requirements for public-key cryptography. However, these cryptosystems rely on two primitive security assumptions, namely the fac- toring problem (FP) and the discrete logarithm problem (DLP), which are also known to be closely related. With a significant breakthrough in cryptanalysis or a major improvement of the best known attacks on these problems (i.e., the Number Field Sieve or Index Calculus), a large number of recently employed cryptosystems may turn out to be insecure overnight. Already the existence of a quantum computer that can provide computations on a few thousand qubits would render FP and DLP-based cryptography useless. Though quantum com- puters of that dimension have not been reported to be built yet, we already want to encourage a larger diversification of cryptographic primitives in future public-key systems. However, to be accepted as real alternatives to conventional systems like RSA and ECC, such security primitives need to support efficient implementations with a comparable level of security on recent computing plat- forms. For example, one promising alternative are public-key schemes based on Multivariate Quadratic (MQ) polynomials for which hardware implementations were proposed on CHES 2008 [11]. In this work, we demonstrate the efficient implementation of another public- key cryptosystem proposed by Robert J. McEliece in 1978 that is based on coding theory [22]. The McEliece cryptosystem incorporates a linear error-correcting code (namely a Goppa code) which is hidden as a general linear code. For Goppa codes, fast decoding algorithms exist when the code is known, but decoding codewords without knowledge of the coding scheme is proven NP-complete [5]. Contrary to DLP and FP-based systems, this makes this scheme also suitable for post-quantum era since it will remain unbroken when appropriately chosen security parameters are used [8]. The vast majority1 of today’s computing platforms are embedded systems. Only a few years ago, most of these devices could only provide a few hundred bytes of RAM and ROM which was a tight restriction for application (and secu- rity) designers. Thus, the McEliece scheme was regarded impracticable on such small and embedded systems due to the large size of the private and public keys. But nowadays, recent families of microcontrollers provide several hundreds of bytes of Flash-ROM. Moreover, recent off-the-shelf hardware such as FPGAs also contain dedicated memory blocks and Flash memories that support on-chip storage of up to a few megabits of data. In particular, these memories can be used to store the keys of the McEliece cryptosystem. In this work, we present first implementations of the McEliece cryptosystem on a popular 8-bit AVR microcontroller, namely the ATxMega192, and a Xilinx Spartan-3AN 1400 FPGA which are both suitable for many embedded system applications. To the best of our knowledge, no implementations for the McEliece scheme have been proposed targeting embedded platforms. Fundamental oper- ations for McEliece are based on encoding and decoding binary linear codes in binary extension fields that, in particular, can be implemented very efficiently in dedicated hardware. Unlike FP and DLP-based cryptosystems, operations on binary codes do not require computationally expensive multi-precision integer arithmetic what is beneficial for small computing platforms. This paper is structured as follows: we start with a brief introduction to McEliece encryption and shortly explain necessary operations on Goppa codes. In Section 4, we discuss requirements and strategies to implement McEliece on memory-constrained embedded devices. Section 5 and Section 6 describe our actual implementations for an AVR 8-bit microprocessor and a Xilinx Spartan- 3AN FPGA. Finally, we present our results for these platforms in Section 7. 2 Previous Work Although invented already more than 30 years ago, the McEliece encryption scheme has never gained much attention due to its large keys and thus has not been implemented in many products. The most recent implementation of the McEliece scheme is due to Biswas and Sendrier [10] and presented a slightly modified version for PCs that achieves about 83 bit security (taken the attack in [8] into account). Comparing their implementation to other public key schemes, it turns out that McEliece encryption can even be faster than that of RSA and NTRU [7]. In addition to that, only few further McEliece software implemen- tations have been published up to now and they were all designed for 32 bit architectures [25, 26]. The more recent implementation [26] is available only as uncommented C-source code and was nevertheless used for the open-source P2P software Freenet and Entropy [15]. 1 Already in 2002, 98% of 32-bit microprocessors in world-wide production were inte- grated in embedded platforms. 2 Algorithm 1 McEliece Message Encryption Input: m, Kpub = (G,tˆ ) Output: Ciphertext c 1: Encode the message m as a binary string of length k 2: c‘ m Gˆ ← · 3: Generate a random n-bit error vector z containing at most t ones 4: c = c‘ + z 5: return c Algorithm 2 McEliece Message Decryption −1 −1 Input: c, Ksec = (P ,G,S ) Output: Plaintext m − 1:c ˆ c P 1 ← · 2: Use a decoding algorithm for the code C to decodec ˆ tom ˆ = m S −1 · 3: m mˆ S ← · 4: return m Hardware implementations of the original McEliece cryptosystem do not ex- ist, except for a proof-of-concept McEliece-based signature scheme that was de- signed for a Xilinx Virtex-E FPGA [9]. Hence, we here present the first FPGA- based hardware and 8-bit software implementation of the McEliece public-key encryption scheme up to date. 3 Background on the McEliece Cryptosystem The McEliece scheme is a public key cryptosystem based on linear error-correcting codes. The secret key is the generator matrix G of an error-correcting code with dimension k, length n and error correcting capability t. To create a public key, McEliece defined a random k × k-dimensional scrambling matrix S and n × n- dimensional permutation matrix P disguising the structure of the code by com- puting the product Gˆ = S × G × P . Using the public key Kpub = (G,tˆ ) and −1 −1 private key Ksec = (P ,G,S ), encryption and decryption algorithms can be given by Algorithm 1 and Algorithm 2, respectively. Note that Algorithm 1 only consists of a simple matrix multiplication with the input message and then distributes t random errors on the resulting code word. Thus, the generation of random error vectors requires an appropriate random number generator to be available on the target platform. Decoding the ciphertext c for decryption as shown in Algorithm 2 is the most time-consuming process and requires several more complex operations in binary extension fields. In Section 3.1 we briefly introduce the required steps for decoding codewords that we need to implement on embedded systems. As mentioned in the introduction, the main caveat against the McEliece cryptosystem is the significant size of the public and private key. The choice of even a minimal set of security parameters (m = 10, n = 1024,t = 38, k ≥ 644) according to [23] already translates to a size of 80.5 kByte for the public key and at least 53 kByte for the private key (without any optimizations). However, this setup only provides the comparable security of a 60 bit symmetric cipher. For appropriate 80 bit security, even larger keys, for example the parameters m = 11, n = 2048,t = 27, k ≥ 1751, are required (more details in Section 3.2). 3 Many optimizations (cf. Section 4.2) of the original McEliece scheme focus on size reduction of the public key, since the public-key has to be distributed. Hence, a size reduction of Kpub is directly beneficial for all parties. However, the situation is different when implementing McEliece on embedded platforms: note that the private key must be kept secret at all times and thus should be stored in a protected location on the device (that may be used in a potentially untrustworthy environment). An effective approach for secret key protection is the use of secure on-chip key memories that would require (with appropriate security features such as prohibited memory readback) invasive attacks on the chip to reveal the key. However, secure storage of key bits usually prove costly in hardware so that effective strategies are required to reduce the size of the private key to keep costs low.